Fortinet Reviews Malicious Code Activity During Jan 2006

January, by the numbers:
Top 10 threats caught by Fortinet's FortiGate security appliances in January 2006:

W32/Sober.AD-mm 15.42%
Adware/BetterInternet 9.34%
W32/Netsky!similar 8.41%
W32/Grew.A!wm 7.88%
HTML/Iframe_CID!exploit 6.23%
HTML/Ebay-phish 3.46%
W32/MyTob.fam-mm 1.93%
W32/Mytob!similar 1.69%
Adware/Websearch 1.66%
Adware/ZangoSA 1.58%

Top 5 new threats appearing in January 2006:

W32/Grew.A!wm 7.88%
Adware/IstBar 0.67%
HTA/Sitex.A-tr 0.58%
W32/Secondthought.BA-tr 0.55%
W32/MyTob.EG-mm 0.15%

Top 10 countries reporting infections in January 2006:

United States of America 22.16%
Korea 7.71%
India 6.51%
Mexico 6.16%
Japan 4.66%
Taiwan 4.14%
France 3.29%
Israel 3.03%
Turkey 2.96%
Canada 2.91%

Virus Activity

Fortinet Statistics - January 2006

The most striking development this month is the almost complete disappearance of Sober.AD. Its activity dropped spectacularly on January 6th, as the worm went from its spreading phase to an update phase. Fortunately, the locations Sober tries to fetch updates from are closely monitored, and nothing has been made available there yet; nor should anything be in the future.

"It's worth mentioning that after a careful analysis of the code, it is not going to go back to a spreading phase, ever" says Guillaume Lovet, Threat Response Team Leader at Fortinet. However, he continues, "the worm's authors - who have extensively proved that they were able to produce tremendously large outbreaks in the past - could very well seed new variants of the infamous 'propaganda' worm".

Another interesting figure this month is the activity profile of the BetterInternet adware. As it is not a worm, its activity is due solely to manual downloads and seedings. The figure shows peaks of activity on the 12th, 16th, 19th, 23rd and 26th, all of them Mondays and Thursdays. Conclusion: the crew behind that adware seeds it via a script scheduled to run every Monday and Thursday.
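The inference drawn above, from a handful of peak dates to a weekday schedule, can be reproduced on a daily count series. The following Python script is an added example and uses no Fortinet data: the counts are constructed so that they spike on January 12th, 16th, 19th, 23rd and 26th, 2006, over a flat background, and the spike threshold (two standard deviations above the monthly mean) is the example's own choice.

```python
"""Infer a weekly seeding schedule from a daily detection-count series.

Added example, not Fortinet's data or code: the series below is constructed
so that its spike days match the dates named in the text.
"""
from collections import Counter
from datetime import date
from statistics import mean, pstdev

WEEKDAY_NAMES = ("Monday", "Tuesday", "Wednesday", "Thursday",
                 "Friday", "Saturday", "Sunday")

# Constructed spike days: the dates on which the text reports peaks.
SPIKE_DAYS = {12, 16, 19, 23, 26}


def constructed_series(year: int = 2006, month: int = 1, days: int = 31) -> dict:
    """Daily counts: a flat background with mild day-to-day noise, plus spikes."""
    series = {}
    for d in range(1, days + 1):
        background = 100 + (d % 3) * 10          # 100, 110 or 120 detections
        series[date(year, month, d)] = 900 if d in SPIKE_DAYS else background
    return series


def spike_days(series: dict, z: float = 2.0) -> list:
    """Days whose count exceeds the monthly mean by z standard deviations."""
    values = list(series.values())
    threshold = mean(values) + z * pstdev(values)
    return sorted(day for day, count in series.items() if count > threshold)


def weekday_profile(days: list) -> dict:
    """How many of the given days fall on each weekday."""
    return dict(Counter(WEEKDAY_NAMES[day.weekday()] for day in days))


def inferred_schedule(series: dict, z: float = 2.0) -> list:
    """Weekdays that carry spikes, Monday first: the candidate job schedule."""
    profile = weekday_profile(spike_days(series, z))
    return sorted(profile, key=WEEKDAY_NAMES.index)


if __name__ == "__main__":
    s = constructed_series()
    print(spike_days(s))
    print(weekday_profile(spike_days(s)))
    print(inferred_schedule(s))
```

On the constructed series the spike days group into three Thursdays and two Mondays, which is the pattern the text reads as a scheduled job; on real telemetry the same grouping step separates a periodic seeding script from a one-off campaign.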

This month's figures clearly show the rise of the Grew worm (aka Kama Sutra, Nyxem, MyWife, Kasper...), which appeared on Monday, January 16th. Within two days, this heavily publicized worm reached its highest peak of activity.

He Grew against the grain
According to Fortinet Threat Response Team Leader - EMEA, Guillaume Lovet, "The brand new Grew worm is, by and large, what we could call an old-fashioned threat. With its aggressive seeding and its highly destructive payload, it really looks like a legacy from the early days, when virus authors would write malware for fun or glory, and not for making bucks."

"Within several days, Grew indeed infected hundreds of thousands of computer systems all over the world. Its payload is not set to spy on the infected users. It does not embed a bot, a proxy or a backdoor, nor does it display ads. Instead, it is set to damage files with the specific extensions on the infected computer, on the 3rd of every month" Lovet added.

The vulnerable file extensions are:

.doc
.xls
.mdb
.mde
.ppt
.pps
.zip
.rar
.pdf
.psd
.dmp

Purely harmful, timed payload and non-mercantile motives - in a nutshell, against the grain.

Now, the only two large outbreaks we have seen in months are courtesy of two worms (Sober and Grew) whose underlying motive is not generating profit. According to Lovet, "This is consistent with our thought that cybercriminals willing to make money adopt a 'low-profile' attitude, and try to make as little fuss as possible."

"The fact various bot herders and phishers were arrested lately clearly indicates that high financial damage and/or large media coverage almost always lead you straight to courts," continued Lovet.

Feebs but ingenious
This month saw many variants of the Feebs worm emerging - on average, almost one per day. Although none of them got anywhere near the prevalence of a top worm such as Grew or other elders like Netsky and MyTob, Feebs has many interesting aspects.

Among other features (rootkit, P2P propagation, reporting via ICQ, on-the-fly injection into emails sent by the infected user), this worm uses JavaScript as its propagation vector: the worm body lies in an encoded string inside a JavaScript block embedded in an .hta document. Whenever it runs, the JavaScript decrypts the worm body and executes it. The .hta document is then regenerated and mass-mailed by the worm engine. This yields two clear issues:

Since JavaScript is not, by nature, a compiled language, the "packaging" part of the worm is readily available for re-use by anyone who knows a bit of scripting and gets hold of a sample. Judging by the number of variants this month, that probably happened.

So far, the encoding algorithms have proved not to be truly polymorphic: they only implement variable encryption keys and variable renaming, much as weakly polymorphic DOS viruses did in the past.

However, it would not be much of a challenge to make those scripts truly polymorphic.

The bottom line is that Feebs could become a serious challenge to AV companies relying on pattern-based signatures and binary emulators, should someone start seeding it aggressively while implementing some advanced polymorphism in the JavaScript generation.
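The weakness the text points out, variable keys plus variable renaming but an unchanged decoder structure, is exactly what a structural fingerprint can exploit on the defender's side. The following Python script is an added example, not Fortinet's code and not the Feebs worm: it tokenises a script, replaces every string and numeric literal and every non-keyword identifier with a canonical placeholder, and hashes the resulting skeleton, so two variants that differ only in encryption key, encoded blob and variable names produce the same fingerprint. The three JavaScript samples inside it are constructed, inert stand-ins for the "encoded string plus decoder" packaging described above (the hex blobs decode to nothing meaningful), and the keyword list, indicator names and 64-character literal threshold are the example's own choices.

```python
"""Rename- and rekey-proof fingerprinting of script-based droppers.

Added example (not Fortinet's code, and not the Feebs worm): the three
JavaScript samples are constructed, inert stand-ins for the packaging the
text describes, an encoded string plus a small decoder whose output is
handed to eval().  Sample A and sample B differ only in the XOR key, the
encoded blob and the identifier names; the third sample is an ordinary script.
"""
import hashlib
import re

# Constructed sample A: key 23, identifiers key/blob/unpack/s/out/i.
VARIANT_A = '''
var key = 23;
var blob = "41414141414141414141414141414141414141414141414141414141414141414141414141414141";
function unpack(s) {
  var out = "";
  for (var i = 0; i < s.length; i += 2) {
    out += String.fromCharCode(parseInt(s.substr(i, 2), 16) ^ key);
  }
  return out;
}
eval(unpack(blob));
'''

# Constructed sample B: same skeleton, key 77, blob and every name changed.
VARIANT_B = '''
var q9 = 77;
var zz = "5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a";
function fn(a) {
  var r = "";
  for (var j = 0; j < a.length; j += 2) {
    r += String.fromCharCode(parseInt(a.substr(j, 2), 16) ^ q9);
  }
  return r;
}
eval(fn(zz));
'''

# Constructed benign sample for contrast.
BENIGN = '''
function greet(name) {
  var msg = "Hello, " + name;
  document.write(msg);
}
greet("world");
'''

# Token classes: comments (dropped), string literals, numbers, identifiers,
# and single punctuation characters.  Adequate for the samples; a real
# deployment would use a proper JavaScript parser.
_TOKEN_RE = re.compile(r'''
    (?P<comment>//[^\n]*|/\*.*?\*/)
  | (?P<str>"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')
  | (?P<num>\d+(?:\.\d+)?)
  | (?P<id>[A-Za-z_$][A-Za-z0-9_$]*)
  | (?P<op>[^\s\w"'])
''', re.VERBOSE | re.DOTALL)

# Names a variant author cannot rename: JavaScript keywords and the host
# objects and methods a decoder needs (list chosen for this example).
_KEEP = frozenset("""
var let const function return for while if else new this in do break continue
typeof void try catch true false null eval String fromCharCode parseInt length
substr substring charAt charCodeAt unescape escape document window write Math
ActiveXObject WScript
""".split())


def skeleton(src: str) -> list:
    """Token sequence with literal contents and user-chosen names canonicalised."""
    names = {}
    out = []
    for m in _TOKEN_RE.finditer(src):
        kind, text = m.lastgroup, m.group()
        if kind == "comment":
            continue
        if kind == "str":
            out.append("STR")
        elif kind == "num":
            out.append("NUM")
        elif kind == "id" and text not in _KEEP:
            # First-seen order yields ID0, ID1, ... whatever the real names are.
            out.append(names.setdefault(text, "ID%d" % len(names)))
        else:
            out.append(text)
    return out


def fingerprint(src: str) -> str:
    """SHA-256 of the skeleton: stable across key changes and renaming."""
    return hashlib.sha256(" ".join(skeleton(src)).encode()).hexdigest()


def indicators(src: str) -> list:
    """Key-independent hints that a script unpacks and runs hidden code."""
    toks = skeleton(src)
    found = []
    if "eval" in toks:
        found.append("eval")
    if "fromCharCode" in toks:
        found.append("charcode-build")
    if "^" in toks:
        found.append("xor")
    literal_lengths = [len(m.group()) - 2 for m in _TOKEN_RE.finditer(src)
                       if m.lastgroup == "str"]
    if max(literal_lengths, default=0) > 64:
        found.append("long-literal")
    return found


if __name__ == "__main__":
    for label, sample in (("A", VARIANT_A), ("B", VARIANT_B), ("benign", BENIGN)):
        print(label, fingerprint(sample)[:16], indicators(sample))
```

A skeleton hash survives the key and name changes the text describes, but not a genuinely polymorphic generator that reorders statements or rewrites the decoder, which is precisely the escalation the article warns about; for that case the indicators() helper offers a coarser, structure-independent first pass (a script that both assembles text with fromCharCode and feeds it to eval deserves a closer look), at the price of more false positives than an exact fingerprint.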
